LiveActive security incident?Get immediate response
CVE Record

CVE-2022-50295: io_uring/msg_ring: Fix NULL pointer dereference in io_msg_send_fd()

In the Linux kernel, the following vulnerability has been resolved: io_uring/msg_ring: Fix NULL pointer dereference in io_msg_send_fd() Syzkaller produced the below call trace: BUG: KASAN: null-ptr-deref in io_msg_ring+0x3cb/0x9f0 Write of size 8 at addr 0000000000000070 by task repro/16399 CPU: 0 PID: 16399 Comm: repro Not tainted 6.1.0-rc1 #28 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 ? io_msg_ring+0x3cb/0x9f0 kasan_report+0xbc/0xf0 ? io_msg_ring+0x3cb/0x9f0 kasan_check_range+0x140/0x190 io_msg_ring+0x3cb/0x9f0 ? io_msg_ring_prep+0x300/0x300 io_issue_sqe+0x698/0xca0 io_submit_sqes+0x92f/0x1c30 __do_sys_io_uring_enter+0xae4/0x24b0 .... RIP: 0033:0x7f2eaf8f8289 RSP: 002b:00007fff40939718 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2eaf8f8289 RDX: 0000000000000000 RSI: 0000000000006f71 RDI: 0000000000000004 RBP: 00007fff409397a0 R08: 0000000000000000 R09: 0000000000000039 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004006d0 R13: 00007fff40939880 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: panic_on_warn set ... We don't have a NULL check on file_ptr in io_msg_send_fd() function, so when file_ptr is NUL src_file is also NULL and get_file() dereferences a NULL pointer and leads to above crash. Add a NULL check to fix this issue.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's Takemoderate

Analyst readout for executives and security teams

Plain-English summary

This Linux kernel flaw can let a local workload trigger a NULL pointer dereference in io_uring message-ring handling, causing a kernel crash under the reported conditions. The business impact is availability risk, not confirmed data theft or remote compromise in the supplied sources.

Executive priority

Treat this as a focused availability patching item. It is not supported as internet-remote or actively exploited in the supplied sources, but kernel crashes on shared infrastructure can still disrupt services.

Technical view

The issue is missing NULL validation for file_ptr in io_msg_send_fd(). When file_ptr is NULL, src_file is NULL and get_file() dereferences it, producing a KASAN null-ptr-deref in io_msg_ring. Kernel stable commits add the NULL check.

Likely exposure

Exposure is most likely on Linux systems running affected kernel versions identified in the bundle, including 6.0, 6.0.6, and 6.1. Risk is higher where untrusted local users, services, or container workloads can exercise io_uring.

Exploitation context

The bundle says Syzkaller produced a crash trace. It does not cite public exploitation, weaponized proof-of-concept activity, or CISA KEV listing. Active exploitation should not be assumed from the provided evidence.

Researcher notes

Evidence is strong for root cause and fix direction, but incomplete for CVSS, CWE, distro-specific ranges, and exploit prerequisites. Validate exact exposure against vendor kernel trees because distribution backports may not match upstream version numbers.

Mitigation direction

  • Update to a kernel containing the referenced stable fixes or vendor backports.
  • Check Linux distribution advisories for package names and fixed kernel builds.
  • Prioritize shared hosts and container platforms with untrusted local workloads.
  • If patching is delayed, follow vendor guidance for temporary exposure reduction.
  • Avoid direct wrangler or deployment assumptions; this is a kernel maintenance issue.

Validation and detection

  • Inventory Linux kernel versions across servers, containers hosts, and appliances.
  • Confirm whether installed kernels include either referenced stable commit or a vendor backport.
  • Review kernel logs for io_msg_ring, io_msg_send_fd, NULL dereference, or panic traces.
  • Identify systems allowing untrusted local users or workloads to use io_uring.
  • Track vendor advisories until affected version ranges are clarified for your distribution.
Prepared
Confidence
medium
Sources
4

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-50295 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
3Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxe6130eba8a848a7a6ba6c534bd8f6d60749ae1a9, e6130eba8a848a7a6ba6c534bd8f6d60749ae1a9unaffected
LinuxLinux6.0, 0, 6.0.6, 6.1affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.